Ransomware Attacks Pummel Critical National Infrastructure Sectors, Experts Warn
The oil and gas sector in Pakistan is on high alert following a ransomware attack against the state-owned oil and gas company – an instance of ransomware impacting critical infrastructure in a year that has already tallied hundreds of incidents.
“Pakistan Petroleum has been impacted severely and some other organizations were also attacked, but our deployed system is detecting and blocking it continuously,” Imran Haider, a spokesman for Pakistan’s National Cyber Emergency Response Team, told Arab News. The company supplies more than a fifth of the nation’s natural gas.
Attackers used “Blue Locker” malware, with NCERT warning that it can infect Windows systems and cloud environments as well as network-attached storage and backups. Cyber defenders said ransomware deployed by hackers appears to be based on Shinra malware.
Attackers left a ransom note and emailed multiple Pakistan Petroleum workers. “We have stolen some of your business data and employee information,” the message said, reported Pakistan Today. “If you don’t contact us with a quote, we will report the hack to mainstream media and release your data to social media and competitors.”
The incident is a reminder that critical infrastructure is a ransomware target, whether for financially motivated cybercriminals or as a front for nation-state hacking. As with distributed-denial-of-service attacks launched by self-proclaimed hacktivist groups, the purpose of such attacks can be to cause chaos and undercut confidence in national authority, or to deliver threats from adversarial nations (see: Hacktivists’ Claimed Breach of Nuclear Secrets Debunked).
Cybersecurity firm Resecurity said strings in the malware suggest it could have a Chinese origin. But the Chinese-language indicators could be a false flag. In another case, ransomware that identified itself as “Shinra” turned out to be part of the Proton ransomware family, which has probable Iranian origins.
Other threat actors are already attempting to capitalize on the incident, which occurred on Aug. 6. “Around the time the official NCERT notification was released, several actors were identified attempting to socialize a possible breach originating from Pakistan Petroleum via the darkweb,” Resecurity said. “Based on our assessment, these claims were likely false or used to amplify the narrative surrounding the consequences of a cyberattack involving the Blue Locker ransomware,” potentially by the operators themselves.
Under Fire: Critical Infrastructure
Industrial organizations across the globe weathered 657 known ransomware attacks during the second quarter, tallied operational technology firm Dragos in a Thursday report. The number is roughly equivalent to the 708 such incidents it counted during the first three months of the year.
Initial access brokers also offered expanded options for targeting industrial sectors and multiple groups worked on refining social engineering tactics, Dragos said. This included affiliates of the Three AM ransomware group spoofing the telephone number of an organization’s IT department.
“One reported attack included the deployment of a virtual machine to a compromised computer, providing the ransomware operators with an initial foothold hidden from the view of endpoint protection software,” Dragos said. “Organizations should educate staff on the exact ways IT support will contact them and which tools they will use to provide remote technical support, so they can recognize social engineering efforts.”
One notable victim was Nova Scotia Power, which in May identified a breach that began on March 19 and ran until April 25. The utility provides power to 95% of the Canadian province, spanning 550,000 residential, commercial and industrial customers. In its breach notification, it said the attack exposed 280,000 customers’ personal details, including names and contact information, plus driver’s license numbers, social insurance numbers and bank account details. The attack disrupted the utility’s ability to read customers’ meters.
Calls for OT Asset Management Grow
One challenge for cyber defenders is that many types of industrial control systems are publicly accessible over the internet, the U.S. government warned last month. Many attackers focus on exploiting ICS devices with known flaws that organizations have failed to patch or otherwise mitigate, it said (see: Infrastructure Operators Leaving Control Systems Exposed).
Government calls for CNI operators to better understand and lock down their infrastructure are growing. Members of the Five Eyes intelligence alliance, comprising Australia, Canada, New Zealand, the United Kingdom and the United States, on Wednesday released new guidance calling on operational technology owners and operators in every critical national infrastructure sector to take steps to better understand and catalog their infrastructure.
The guidance calls on operators to catalog their OT software and hardware assets and regularly update that list. It also recommends each organization create its own OT taxonomy, defined as “a categorization system that organizes and prioritizes OT assets” based on their functionality and criticality, to better identify risks, manage vulnerabilities and facilitate faster incident response.
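As an added example that is not part of the article or of the Five Eyes guidance, a small Python model of such a taxonomy: constructed assets are categorized by function and criticality, ranked by unpatched flaws (placeholder IDs, not real CVEs) and internet exposure, and checked for stale inventory records. The category names, weights and sample assets are assumptions chosen for illustration.

```python
"""Added example: an OT asset inventory with a taxonomy keyed on function and
criticality, ranked for remediation.  All asset, flaw and exposure data is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical criticality tiers for the taxonomy, highest weight first.
CRITICALITY = {"safety": 4, "control": 3, "supervisory": 2, "business": 1}

@dataclass
class OTAsset:
    name: str
    function: str            # taxonomy category: safety, control, supervisory, business
    internet_exposed: bool   # reachable from the public internet (the exposure the article warns of)
    known_flaws: list = field(default_factory=list)  # placeholder flaw IDs, unpatched
    last_inventoried: str = ""                       # ISO date of the last inventory check

def risk_score(asset: OTAsset) -> int:
    """Criticality weight times (1 + unpatched flaw count), doubled when internet-exposed."""
    base = CRITICALITY.get(asset.function, 0) * (1 + len(asset.known_flaws))
    return base * 2 if asset.internet_exposed else base

def prioritize(inventory: list[OTAsset]) -> list[tuple[str, int]]:
    """Return (asset name, score) pairs, highest risk first; ties keep inventory order."""
    return sorted(((a.name, risk_score(a)) for a in inventory), key=lambda p: -p[1])

def stale_assets(inventory: list[OTAsset], cutoff: str) -> list[str]:
    """Assets whose inventory record predates the cutoff (ISO dates compare lexically)."""
    return [a.name for a in inventory if a.last_inventoried < cutoff]

# Constructed sample inventory; flaw IDs are placeholders, not real identifiers.
SAMPLE_INVENTORY = [
    OTAsset("hmi-01", "supervisory", True, ["FLAW-PLACEHOLDER-1"], "2025-07-01"),
    OTAsset("plc-compressor-2", "control", False,
            ["FLAW-PLACEHOLDER-2", "FLAW-PLACEHOLDER-3"], "2025-01-15"),
    OTAsset("sis-wellhead", "safety", False, [], "2025-08-01"),
    OTAsset("historian", "business", True, [], "2024-11-30"),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_INVENTORY):
        print(f"{name:18} risk={score}")
    print("stale records:", stale_assets(SAMPLE_INVENTORY, "2025-06-01"))
```

The scoring puts the multi-flaw controller ahead of the single-flaw but internet-exposed HMI, which is the kind of trade-off a taxonomy is meant to make explicit rather than leave to whoever is on shift.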